Sunday, June 28, 2009
Joomla! Security / Vulnerability Scanner
I stumbled across another cool scanner from the yegh community. It is a regularly updated scanner that can detect file inclusion, SQL injection and command execution vulnerabilities on a target Joomla! web site. It's a handy utility for checking your website after building it on the Joomla! platform.
If you are not aware, Joomla is an award-winning content management system (CMS), which enables you to build Web sites and powerful online applications. Many aspects, including its ease of use and extensibility, have made Joomla the most popular Web site software available. Best of all, Joomla is an open source solution that is freely available to everyone.
You can download it from here.
Microsoft to release free anti-virus
Windows Security Essentials, the replacement for Windows Live OneCare, the for-a-fee security package that Microsoft is ditching on June 30, will be available for download at approximately noon, Eastern time. The free download will be posted on a new Microsoft site dedicated to Security Essentials (the page will go live Tuesday).
Microsoft has pitched the software as a basic antivirus, antispyware product that consumes less memory and disk space than commercial security suites like those from vendors such as Symantec and McAfee, and so is suitable for even low-powered PCs such as netbooks.
Microsoft has already repeatedly shown a particular incompetence when it comes to identifying and preventing malware, and I personally think this will be a new challenge for Microsoft in this domain.
Microsoft has had bad luck in the past when it has limited the number of downloads for previews of its software. Last January, the company had to restart the launch of Windows 7 Beta after its servers were overwhelmed because users, who had been told Microsoft would cap the downloads, rushed to grab a copy.
In May, when Microsoft offered Windows 7 Release Candidate (RC), it made it clear to users that it wouldn't restrict the number of copies downloaded from its site.
Thursday, June 25, 2009
Adobe Shockwave critical update
Adobe’s Shockwave Player contains a critical vulnerability that could be exploited by remote hackers to take complete control of Windows computers, according to a warning from Adobe.
The flaw affects Adobe Shockwave Player 126.96.36.1996 and earlier versions. Details from Adobe’s advisory:
"This vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected system. Adobe has provided a solution for the reported vulnerability (CVE-2009-1860). This issue was previously resolved in Shockwave Player 188.8.131.525; the Shockwave Player 184.108.40.2060 update resolves a backwards compatibility mode variation of the issue with Shockwave Player 10 content. To resolve this issue, Shockwave Player users on Windows should uninstall Shockwave version 220.127.116.116 and earlier on their systems, restart, and install Shockwave version 18.104.22.1680, available here."
This issue is remotely exploitable.
Wednesday, June 24, 2009
Australia's first voiceprint recognition telephone banking
NAB is the first local institution to give customers an opportunity to enrol in a voiceprint recognition system, dispensing with the need to remember PINs and passwords or provide personal information when calling the bank. Customers enrolled in National Australia Bank's new voice biometrics system for phone banking may be able to use the same system to authenticate their internet banking activities.
NAB direct channels speech program manager Sam Jackel said voiceprints could be used as a second-factor authentication method for internet banking transactions independently verified at present via an SMS message sent to the customer's mobile phone. Users had to open the message to retrieve a single-use passcode and enter it into the onscreen session, he said.
Staff tested the voice registration and identity verification system for several weeks and it was being offered initially to customers who had difficulties with the automated check and required personal attention.
After callers have registered their unique voiceprint, they simply recite their individual account number at the beginning of each call and the system will verify their identity before the call centre agent picks up the call. Customer identification and verification used to take two to three minutes a call, but now this has been cut to about 20-30 seconds.
NAB is using Salmat VeCommerce's VeSecure voice biometric technology, which sits on top of VeConnect, a speech recognition system installed earlier this year to allow automatic routing of phone calls to the right service area and to support the launch of a single number, 136 NAB, to manage all NAB customer inquiries.
Sunday, June 21, 2009
Scam Alert: False Friends on Facebook
Hackers are joining your friends on popular social networking sites in a new form of identity theft. They typically trick you into downloading programs that record keystrokes and sit back and wait for you to key in passwords and email address. Then they log on as you and wreak havoc on your social networking life and, possibly, your financial life.
They also use video links, fake antivirus deals and other ruses to get your goat. Independent research reveals that the fallout from the Great Recession includes all kinds of cyber crimes.
To avoid problems on social networks and online in general, an AARP Scam Alert advises:
• Don't click on links in email -- even friends' email -- without checking them out with a phone call or otherwise off line.
• Update software direct from the maker's website, not through a provided link.
• Make your social networking account private, open only to friends.
• Regularly scan your computer for viruses and update operating system as soon as updates are available. The updates often include added protection from current virus attacks.
• Always be suspicious of anyone asking for money or offering to give you large sums of money over the Internet.
Thursday, June 18, 2009
Microsoft Office 2003 is still widely used like Microsoft XP
Step 2. Select General under Load/Save;
Step 4. Choose Microsoft Word 97/2000/XP in the Always save as drop-down menu and click OK.
To make .xls the default worksheet format, open the same dialog box and follow the same steps, with the following differences:
Step 2. Choose Microsoft Excel 97/2000/XP in the Always save as drop-down list and click OK.
If you are using Microsoft Office 2008 and send these documents to someone, they mostly complain that they are still using Microsoft Office 2003 and are having problems opening the file. Here is the interim fix until Microsoft Office 2008 is widely deployed and accepted.
Wednesday, June 10, 2009
Web Trackers Systematically Compromise Users' Privacy
A University of California, Berkeley study found that Web users may be tracked by dozens of sources on a visit to a single site. Within a single month, the researchers found 100 monitoring agents on the site blogspot.com. Although many of the trackers used on blogging sites are low-level monitors used by bloggers to see who is reading their posts, major companies also are tracking a significant amount of Web traffic, according to the report.
The researchers note that many large companies have hundreds or even thousands of affiliates, sometimes in completely different industries, and occasionally in foreign countries. Please refer here to read this interesting research and report on DarkReading.
Sunday, June 7, 2009
Classic Fraud: 6 Scams That Don't Go Away
From Check Fraud to Phishing, All the Old Tricks are Back with a Vengeance
Bank fraud has evolved over the last several years, but some classic variations keep financial institutions busy.
Here are six old fraud tricks that are back with new twists to bedevil fraud departments and information security professionals.
Last week, New York indicted 18 people in a massive check counterfeiting ring that cashed more than $1 million worth of checks at major New York City banks. This case causes even the best fraud departments in financial institutions to check their own programs and safeguards.
Attempted check fraud at U.S. banks totaled $12.2 billion in 2006, according to the latest biennial survey conducted by the American Bankers Association (ABA). Bank prevention systems caught 92 percent or $11.2 billion of check fraud attempts.
Precautions: Employee training is still one of the most effective security measures against check fraud. Other prevention systems include signature verification, screening of new accounts, "positive pay" systems (a computerized check number matching program between banks and corporate customers), special check stock (water marks, micro-printing and/or holograms) and "touch signature" fingerprint programs for cashing non-customers' checks.
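The "positive pay" matching described above, written out as a small exception report. This is an added illustration and not code from the article or from any bank's system; the issued-check file layout, the 180-day stale threshold and the sample checks are all assumptions constructed here.

```python
"""Positive-pay style matching of presented checks against a customer's issued-check file.
Added illustration only; record layout, thresholds and sample data are constructed."""
from dataclasses import dataclass
from datetime import date

STALE_DAYS = 180  # assumption: checks presented this long after issue go to review


@dataclass(frozen=True)
class IssuedCheck:          # one row of the file the corporate customer sends the bank
    number: int
    amount_cents: int       # integer cents, so no floating-point rounding
    payee: str
    issued: date


@dataclass(frozen=True)
class PresentedCheck:       # a check arriving for payment at the bank
    number: int
    amount_cents: int
    payee: str
    presented: date


def positive_pay(issued, presented):
    """Return [(check_number, [reasons])] for every presented check that should be
    held for customer decision. Checks with no reasons are approved for payment."""
    on_file = {c.number: c for c in issued}
    seen, exceptions = set(), []
    for p in presented:
        reasons = []
        if p.number in seen:                      # same number paid twice
            reasons.append("duplicate presentment")
        seen.add(p.number)
        i = on_file.get(p.number)
        if i is None:                             # counterfeit or unissued number
            reasons.append("check number not on issued file")
        else:
            if i.amount_cents != p.amount_cents:  # altered amount
                reasons.append(f"amount mismatch: issued {i.amount_cents}, presented {p.amount_cents}")
            if i.payee.casefold().strip() != p.payee.casefold().strip():
                reasons.append("payee mismatch")  # altered payee line
            if (p.presented - i.issued).days > STALE_DAYS:
                reasons.append("stale-dated")
        if reasons:
            exceptions.append((p.number, reasons))
    return exceptions


# Constructed sample data: one clean check, one stale, one altered amount, one not on file, one duplicate.
ISSUED = [IssuedCheck(1001, 125000, "Acme Supply Co", date(2009, 5, 1)),
          IssuedCheck(1002, 50000, "Jane Doe", date(2008, 11, 1)),
          IssuedCheck(1003, 7500, "City Utilities", date(2009, 5, 20))]
PRESENTED = [PresentedCheck(1001, 125000, "ACME SUPPLY CO", date(2009, 6, 2)),
             PresentedCheck(1002, 50000, "Jane Doe", date(2009, 6, 2)),
             PresentedCheck(1003, 75000, "City Utilities", date(2009, 6, 3)),
             PresentedCheck(1004, 99900, "Cash", date(2009, 6, 3)),
             PresentedCheck(1001, 125000, "Acme Supply Co", date(2009, 6, 4))]
```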
Elderly and Immigrant Identity Fraud
Financial institutions' mortgage and loan officers need to pay attention to this kind of fraud. While not new, elderly and immigrant fraud is regaining popularity, especially in the age of identity theft. This is currently happening in some reverse mortgage situations. Similarly, some immigrants who rent properties are discovering that their identities have been used on fabricated loan transactions.
A simple inquiry about a loan product that leverages investment or rental properties can be enough to obtain information for use on fabricated loan transactions. As foreclosure scams also continue to proliferate, loan officers need to keep track of those homeowners, making sure they don't fall prey to these scavengers.
This type of fraud made it into President Barack Obama's speech announcing his cybersecurity initiative, when he said "thieves used stolen credit card information to steal millions of dollars from 130 ATM machines in 49 cities around the world -- and they did it in just 30 minutes." The big question is: Can it happen at your institution?
Phishing continues to change and grow, and crimeware (or malware) is also growing. There is a notable tendency for phishing to become more technical -- for example, using advanced obfuscation to combat anti-spam techniques. At the same time, crimeware (what used to be called malware) is becoming increasingly more reliant on social engineering. Trojan horses commonly use clever social engineering techniques to improve their success rates. Bad guys have been devastatingly effective at tricking end users into installing malware and divulging personal information, but their methods for monetizing this data have been fairly crude. This is starting to change, however, and brokerage accounts are an area of particular concern.
The increased number of "vishing" (phone-based phishing) scams hitting regions is cause for alarm. In the last week, five different regions of the USA have been hit by phishers using phone calls to solicit information about the person's credit union or bank account:
• New England Federal Credit Union in Williston, VT reported that a vishing scam hit residents, and the Heritage Family Credit Union in Rutland, VT also reported a similar scam.
• Customers of the Forward Financial Credit Union in Niagara, WI and the River Valley Bank in Iron Mountain, MI received calls last week from fraudsters asking for account information.
• Asheville Savings Bank, Asheville, NC was alerted last week by its customers that a vishing scam targeting area residents was trying to get debit card numbers.
• The final vishing scam of last week targeted all 22,000 residents of Guilford, CT. The calls started coming on May 24. In the Guilford, CT case, the automated call was a female voice claiming to be from Guilford Savings Bank. It prompted those on the other end of the line to enter bank card and PIN numbers, along with their card's expiration date.
The threat of a trusted employee or vendor taking sensitive information is not new, but the ways in which insiders get to the juicy data or dollars are changing. Collusion is the new way insiders are getting sensitive data.
To put it into context, of the people who stole information with the intent to sell it, more than half were recruited to do so by parties outside the organization. When insiders were involved in fraud, half of those cases involved another insider.
Wednesday, June 3, 2009
Criminals are looking for ways to turn browser vulnerabilities into money.
In some cases the security of the browser has had a major impact on Web site design and usability. Browsers present a clear target for identity theft malware, since a lot of personal information flows through the browser at one time or another. This type of malware uses various techniques to steal users' credentials. One of these techniques is form grabbing - basically hooking the browser's internal code for sending form data to capture login information before it is encrypted by the SSL layer.
Another usability feature of the Web browser that has been attacked by malware is the auto-complete functionality. Auto-complete saves form information in a safe location and presents the user with options for what he typed before into a similar form. Several families of malware, such as Goldun/Trojan Hearse, used this technique very effectively. The malware cracked the encrypted auto-complete data from the browser and sent it back to the central server without even having to wait for the user to log in to the site.
Tuesday, June 2, 2009
Decoding the Internet's Raw Data
The massive amounts of data available on the Internet potentially have infinite uses. For example, advertisers want to mine photos and status updates on social networks to better sell products, while scientists are tracking weather patterns using decades of climate records. Now, U.S. White House officials want to make government data available to the public so citizens can monitor government actions.
The problem is determining how to organize and display such a massive amount of data without having to sift through volumes of spreadsheets. Participants at the recent symposium at the University of Maryland's Human-Computer Interaction Lab focused on solving this problem. "We're trying to understand data and make sense of it visually, but there's no way of evaluating how effective these visuals really are for people," says PricewaterhouseCoopers research manager Mave Houston. Analysts from the U.S. Department of Defense, SAIC, and Lockheed Martin expressed their frustrations with available information visualization tools, which are too complex for novice users, frequently do not work well with user-generated content, and have difficulty handling large amounts of data.
The Human-Computer Interaction Lab is working on ways of linking information, creating user-friendly technology devices, and improving how people interact with the Web. "Our belief is that technology is not just useful as toys or for business," says lab founder Ben Shneiderman. "We're talking about using these technologies for national priorities."
Refer here to read full details about the news.